[Webkit-unassigned] [Bug 51134] Move loading related code from MemoryCache to CachedResourceLoader
bugzilla-daemon at webkit.org
Sun Jan 9 12:58:19 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=51134
Dimitri Glazkov (Google) <dglazkov at chromium.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dglazkov at chromium.org
--- Comment #11 from Dimitri Glazkov (Google) <dglazkov at chromium.org> 2011-01-09 12:58:18 PST ---
(In reply to comment #10)
> (From update of attachment 76761 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=76761&action=review
>
> > WebCore/ChangeLog:19
> > + * css/CSSImageValue.cpp:
> > + (WebCore::CSSImageValue::cachedImage):
> > +
> > + Remove a code path that called MemoryCache::requestResource directly. This code path would have crashed
> > + if ever taken (since it passes null CachedResourceLoader pointer).
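Review bot: the ChangeLog entry justifies deleting the MemoryCache::requestResource call in CSSImageValue::cachedImage by asserting it "would have crashed if ever taken" because it passes a null CachedResourceLoader, but it does not say why the path is unreachable; the entry should name the callers that could reach it and why they no longer do, since the review comment immediately below links this change to suspected heap corruption.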
>
> Are you sure this is the case? I have a sneaking suspicion that this change is causing random memory heap corruption issues, as being investigated here:
>
> http://code.google.com/p/chromium/issues/detail?id=68516
Following this trail:
CSSImageValue::cachedImage is only called from CSSStyleSelector::loadPendingImages, which is in turn called by:
CSSStyleSelector::styleForElement
CSSStyleSelector::styleForPage
CSSStyleSelector::pseudoStyleForElement
CSSStyleSelector::keyframeStylesForAnimation
Since, in cachedImage(), the "loader" is document()->cachedResourceLoader() and returns an OwnPtr, could any of the methods above be invoked after the Document is destroyed?
If they could, we can have memory corruption. Right?